With Kureli Sankar
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn from Cisco expert Kureli Sankar how to identify and mitigate network attacks.
Kureli Sankar is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software. Prior to joining Cisco, Sankar worked for the John Morrell Co., where she was the network administrator in charge of the company's enterprise network covering 27 locations in the United States. She also was an adjunct professor at the University of Cincinnati, teaching undergraduate level networking courses. Sankar holds an engineering degree in electrical and electronic engineering from Regional Engineering College, Trichirappalli, India, and holds CCSP and CCIE Security #35505 certifications.
Remember to use the rating system to let Kureli know if you have received an adequate response.
Kureli might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through June 15, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
If you are asking about the IPS module, the packet may not even reach the module, depending on the other checks it has to go through.
Unless you have other devices in the perimeter to detect these sort of attacks, the ASA will simply drop these packets when they arrive.
Kureli did an excellent job summarizing this. I would like to add some notes/thoughts. There are several ways that you can protect against scanners on the Cisco ASA (this includes protection against nmap scans and others). Some types of active scans depend on logical network location and will not work through a firewall / IPS, depending on your configuration. First, you can protect against spoofed scans by using the Unicast Reverse Path Forwarding (uRPF) feature on the outside interface. Unicast RPF protects against IP spoofing by making sure that all packets have a source IP address that matches the correct source interface according to the routing table.
You can also configure Scanning Threat Detection on the Cisco ASA. The following link includes information on how to protect against scanning attacks using Threat Detection:
In some cases with network scanners, the first TCP packet may not even be a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection takes this into consideration and acts on it by classifying hosts as attackers and automatically shunning them. In most cases, scanners create incomplete sessions and as such they are sometimes already blocked by TCP SYN attack protection and embryonic connection limits. Now, one thing to highlight is that vulnerability scanning traffic can stress network equipment and may flood links. In some cases, you should block this traffic upstream to avoid it even entering your network link. There are several service providers that provide this protection to their customers by using the Clean Pipes solution. Clean Pipes allows service providers to offer pervasive DDoS mitigation services on a subscription basis or on demand. These services provide customers with DDoS protection within the provider cloud, preserving network bandwidth and ensuring the availability of applications and services. Arbor has some information on how the Cisco/Arbor Clean Pipes 2.0 solution works:
Please keep this link handy. It has the details that Omar mentioned above. I thought I included the link in my response but missed it.
How to identify and mitigate network attacks.
As far as what Omar is talking about, which is to block the attack traffic from even entering your network, you have to read this very, very, very interesting white paper on RTBH (Remotely Triggered Black Hole). It explains the setup that major ISPs already have in place. All you need to do is provide them with the source IP address or destination IP address and they will route that traffic to NULL, thus black holing
Thanks heaps, both! I just need to fine-tune my threat detection configs on my ASA.
That whitepaper is a scorcher!!
Time to null0 all that unwanted Chinese and Taiwanese traffic! lol
I have a quick question for you. What is the easiest way to identify a DoS attack, and the best way to restore and prevent these types of attacks on a wireless network?
Thanks a lot,
Well, it depends on the attack. Most of them spike the CPU of the box and the unit will start dropping packets. You will notice heavy bandwidth utilization if this is an internet-facing device.
1. If you have NetFlow enabled it might be able to show you the spike in traffic and the sources that are responsible for this.
2. Source track is another method:
3. Use a categorization ACL to see what kind of traffic is overwhelming the device and from where:
Follow RFC 2827:
1. Only allow traffic sourced from your network address space to leave the outside interface.
2. Do not allow packets sourced from your own network address space to enter from the outside.
You need to try to do everything possible so that the firewall will not see this attack traffic. Block it at the upstream L3 device or reach out to the ISP and have them block the traffic at their end.
Read the links that we have included in the previous responses as well. All of them are worth bookmarking.
For wireless as well as wired networks, most companies and schools do some sort of content filtering to stop them from getting infected.
How do we detect and stop any network scan activities (using nmap or any other tools) automatically using Cisco IPS and firewalls (or any other security devices)?
Are there any default signatures that detect those types of scans, or do we need to configure some custom signatures to detect such activities?
Thanks in advance.
Like Omar mentioned above you could use TD (Threat Detection) on the ASA:
On the IPS, as you can see here:
|Sig ID|Name|Release date|Severity|Sig update|
|3002/0|TCP SYN Port Sweep|March 07, 2012|Low|S630|
|5725/0|Novell NMAP Agent Buffer Overflow|February 09, 2012|High|S624|
|4062/0|Cisco CSS 11000 Malformed UDP DoS|August 26, 2011|Medium|S591|
|4001/0|UDP Port Sweep|June 13, 2011|High|S573|
|4003/0|Nmap UDP Port Sweep|August 06, 2009|High|S423|
|3003/0|TCP Frag SYN Port Sweep|March 26, 2009|High|S388|
|3046/0|NMAP OS Fingerprint|May 01, 2001|Medium|S3|
3002, 4001, 4003, 3003 and 3046 are the ones that you would want to enable.
Thanks a lot for your response on my post; this will really come in handy.
In fact, one of our clients told us that they did a network scan but failed to find that activity on their security devices.
Every packet that the ASA sees will be logged. It depends on what level of logging is configured and what feature logging you expect and what kind of attack it is.
Here is the syslog guide link:
Here is the Threat Detection feature link:
Look for "syslog" in the link above.
If the packets are dropped due to an ASP drop, then you can see them when you issue "sh asp drop" after a "clear asp drop".
Here is the command reference for that:
I have a few questions about ASA threat detection and DoS attack prevention.
1. Can we use class-maps or route-maps on the ASA to dynamically learn an IP address that sends more than a certain number of HTTP requests/sec and block that IP for a certain time period?
2. We have basic threat detection enabled on our ASA and are getting a lot of SCAN threshold exceeded alerts. Is it possible to find out which hosts are exceeding the thresholds without shunning them? TAC said the only way to find out the hosts is to shun them; only then will they show up on the ASA.
<164>Jun 13 2012 13:09:05: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 15 per second, max configured rate is 5; Cumulative total count is 9083
1. What you can do is, say for example you have a web server behind the ASA, configure an ACL/class-map and set connection limits for that particular class. What you are asking is possible with the IDS device. With the ASA you can limit how many connections each host can establish with a server that the ASA is protecting.
Refer to this link:
2. Check this command out; it will show you the scanning host:
The following is sample output from the show threat-detection scanning-threat command:
hostname# show threat-detection scanning-threat
Latest Target Host & Subnet List:
Latest Attacker Host & Subnet List:
On my ASA, I can see this output:
ASA5520# sh threat-detection rate scanning-threat
but with this, I can't see anything:
ASA5520# sh threat-detection scanning-threat target
Latest Target Host & Subnet List:
ASA5520# sh threat-detection scanning-threat attacker
Latest Attacker Host & Subnet List:
How can I see the address of the attackers?
It's the same thing in my case also. I don't see anything with the "sh threat-detection scanning-threat attacker" command, but we are getting around 10 syslog messages every minute saying the thresholds are exceeded.
ASA/pri/act# sh threat-detection rate scanning-threat
Average(eps) Current(eps) Trigger Total events
10-min Scanning: 3 3 22170 2323
1-hour Scanning: 3 4 5362 12814
ASA/pri/act# sh threat-detection scanning-threat attacker
The command is "show threat-detection scanning-threat"
not "show threat-detection rate scanning-threat"
You can also try the following:
hostname# show threat-detection statistics host
Average(eps) Current(eps) Trigger Total events
Host:10.0.0.1: tot-ses:289235 act-ses:22571 fw-drop:0 insp-drop:0 null-ses:21438 bad-acc:0
1-hour Sent byte: 2938 0 0 10580308
hour Sent byte: 367 0 0 10580308
24-hour Sent byte: 122 0 0 10580308
Yes, I tried "show threat-detection scanning-threat" but it didn't produce any output.
ASA/pri/act# show threat-detection scanning-threat
Today is the last day of this ATE event. I am not sure if I can get to the bottom of this. Would you mind opening a TAC case so we can take a look at it? Feel free to mention my name on the case.
Please copy and paste the "sh run threat" output from the ASA.
Maybe there aren't any scanning threats at the moment. If the rate exceeded syslog is seen, then you probably have to tweak the settings and increase
Issue "show run all threat-detection". The number of triggers of different thresholds can be checked in "show threat-detection rate". Syslog 733100 is related to scanning-rate, adjusting this parameter should be able to resolve too many messages showing up in the syslogs. In this case, tuning the command "threat-detection rate scanning-rate 3600 average-rate 15" stopped too many of these messages being logged. In other cases one may have to increase the scanning-rate and average-rate to a higher value.
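To make sense of the rate-exceeded messages quoted earlier (%ASA-4-733100) and the tuning discussed here, the following is an added Python example, not code from the thread or from Cisco: it parses 733100 lines from a syslog dump, reports whether the burst limit, the average limit or both were crossed, and builds a threat-detection CLI line that raises only the crossed thresholds. The rate-1/2/3 to interval mapping and the "rate-interval ... average-rate ... burst-rate" keyword order are assumptions based on ASA defaults; confirm them against "show run all threat-detection".

```python
import math
import re

# Constructed sample syslog lines: the first is the message quoted in the thread,
# the second is made up to show a different rate interval, the third is not a 733100.
SAMPLE_LOGS = """\
<164>Jun 13 2012 13:09:05: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 15 per second, max configured rate is 5; Cumulative total count is 9083
<164>Jun 13 2012 13:10:05: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 12814
<166>Jun 13 2012 13:10:07: %ASA-6-302013: Built inbound TCP connection 9 for outside:192.0.2.7/4242 (192.0.2.7/4242) to inside:10.0.0.1/80 (10.0.0.1/80)
"""

RE_733100 = re.compile(
    r"%ASA-\d-733100: \[\s*(?P<obj>[^\]]+?)\s*\] drop rate-(?P<rate_id>\d) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)
# Assumption: rate-1/2/3 are the default 10-minute, 1-hour and 24-hour intervals.
RATE_INTERVALS = {1: 600, 2: 3600, 3: 86400}

def parse_733100(line):
    """Parse one 733100 message into a dict of ints plus the object name, else None."""
    m = RE_733100.search(line)
    if not m:
        return None
    ev = {k: int(v) for k, v in m.groupdict().items() if k != "obj"}
    ev["obj"] = m.group("obj")
    return ev

def parse_log(text):
    """All 733100 events in a syslog dump; other messages are skipped."""
    return [ev for ev in map(parse_733100, text.splitlines()) if ev]

def exceeded(ev):
    """Which thresholds the message reports as crossed: 'burst', 'average' or both."""
    hit = []
    if ev["burst"] > ev["burst_max"]:
        hit.append("burst")
    if ev["avg"] > ev["avg_max"]:
        hit.append("average")
    return hit

def suggest_tuning(ev, headroom=1.5):
    """Raise only the crossed thresholds by `headroom` and build the matching CLI line."""
    avg, burst = ev["avg_max"], ev["burst_max"]
    if "average" in exceeded(ev):
        avg = math.ceil(ev["avg"] * headroom)
    if "burst" in exceeded(ev):
        burst = math.ceil(ev["burst"] * headroom)
    burst = max(burst, avg)  # a burst limit below the average would fire on every interval
    return (f"threat-detection rate scanning-threat rate-interval {RATE_INTERVALS[ev['rate_id']]} "
            f"average-rate {avg} burst-rate {burst}")
```

Run it over a real syslog export and compare the suggested values with what "show threat-detection rate" reports before committing them.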
Not sure if transparent mode is going to resolve the issue. You still need the same Route and Permission along with optional translation for any flow to work.
We need to look at captures working in the same VLAN and the delay when separated by the firewall and determine what might be causing the problem.
In the past, with Windows file copy and drive mapping issues, we have run into the following:
The problem is that Windows will not allow multiple SMB connections on port 445. Subsequent connections will cause the existing connection to be reset.
This behavior is described by Microsoft Article KB301673.
1) Modify the registry on the server per KB301673 to use only port 139 and reboot the server.
2) Block port 445 by ACL on the firewall so that it will be forced to default back to 139.
Give this a shot and let me know if this resolves the issue. Otherwise please open a TAC case as we need to grab captures and analyze them.
Dear Kureli Sankar,
The fix is only available for Microsoft Server 2008; mine is 2010 and it didn't work with it.
I'm out of ideas. I even made the access-list all open (ip, tcp, udp any any) for all VLANs as a test for now so I can check whether anything will drop or not, and all the interface security levels are the same and I have same-security-traffic permit intra- and inter-interface for the VLAN interfaces.
The core is fine. I just don't know what to do anymore. Do you think it could be a Microsoft problem rather than the Cisco side?
Here is my thread link; you can continue troubleshooting with me in that thread if this one is closed.
Thanks and best regards
I have a small doubt about telnet; I am not sure if this is the right forum to post this query.
I wanted to know if we can use telnet on a non-standard port, let's say 6189. I wanted to configure this on a Cisco router. May I know the commands to do this?
I have used PAT and port-map to do this.
Is there any other way to achieve this?
Please help. Thanks in advance.
I wish to integrate with Microsoft Windows 2008 AD. Apparently I am having trouble achieving this due to the error below:
ECSIntFw01# test aaa-server authentication AD1 username fraxxx password$ xxxx
Server IP Address or name: 10.3.1.10
INFO: Attempting Authentication test to IP address <10.3.1.10> (timeout: 12 seconds)
ERROR: Authentication Server not responding: AAA Server has been removed
My aim is in setting up Identity Options that would either help to allow/restrict permission based on users and/or groups that exist in the Active Directory Domain.